Is there a module or way to create a Guest Access Lobby on the ASA 5525? We currenly leverage the WLC to do this for us, but are moving to a routed access enviornment which is causing some issues. We would like to offload the guest access responsibility to the ASA if possible.                  Â
View 1 RepliesWe are suffering an issue with ASDM 7.1(1) on a 5525-X with 9.1(1) software. In the Configuration --> Interfaces window, I can modify parameters on physical interfaces, I can modify parameter on subinterfaces, but I cannot create new subinterfaces or Etherchannels through ASDM.
Â
When I create a subinterface, entering all parameters, interface name, vlan id, security level, etc., then I click on "Apply" button and nothing happens. It doesn't send anything to ASA. If I click on another window, ASDM ask for applying changes, I click on it, but nothing is applied and window doesn't change. It happens only when creating new interfaces. If I create them through CLI, then I can modify parameters without any problem.
Â
I have tried re-installing java and I have tested with 6.31, 7.9, 7.11, 7.17 Java versions, from Windows XP, Windows 2003 Server and Windows 7 computers with same issue. Also with Linux Mint distro with IcedTea Java.
Why do need Cisco NAC guest server when we have WLC 5508 already configured. The Guest user access can be given by the WLC itself too. We can create users in WLC also and grant access to the user to access internet for specific time frame. My query is - what is so different in Cisco NGS that it is considered good in terms of Guest users access. What are the advatages of NGS.
View 4 Replies View RelatedI have two 5508 WLCs. Both have APs attached to them. If I create a guest account with the lobby administrator on one, will that user account be able to log in to the network if the client is attached to the ohter WLC? So far, I have found that I need to create the same user on both WLC's, in order to have the user login.
View 2 Replies View RelatedWe've just replaced our Fortinet Firewalls with 5525's but are struggling to get a feature working that worked great on the Fortinet firewall.All our users use a proxy for internet access that's configured in IE but from time to time some users need to remove this proxy and go directly out to the internet, with the Fortinet devices we created a rule right at the bottom of the inside access out rule that had it authenticate users via TACACS which worked a treat and could be used from PC or laptop. We want to do a similar thing on the 5525 and I thought the Authenticated user would give me this access but I don't seem to be able to get it to work. I've got the AD side of it working fine the ASA can pull user and groups from AD but I'm struggling to get this working for a user.
View 3 Replies View RelatedI have a cisco 877 configured foir lan to lan between sites A and B. I have used vlan 1 but looks like i have to bvi1 if i need to use the wireless,what is the difference between bvi and vlan. if i wanted users on the same vlan and wireless what would be the base config ? at the moment all corporate traffic goes to site A and other traffic goes to internet. now would i be able to create two ssid, one for corporate to access corporate subnets and the other for guest access alone where the traffic goes out to the internet.
View 1 Replies View Relatedhow we can make guest access to our network like hotels by using our WISM v 7.0.220 and wireless control system and ACS ?
View 1 Replies View RelatedI have read that it is possible to migrate from a 525 to an ASA via a upgrade to pix asa version 7.0 then using the migration tool once copied to the new ASA 5500 series, but i have alos read in a forum somewhere that a migration from PIX to ASA 5500-x series is not possible,, is this true ?
View 1 Replies View Related We have recently installed new 5525 8.6(1) ASA's. Our setup is like; where we are using Public IP for web server, which needs to be mapped/natted to internet VIP address and that VIP is configured on F5 LB. Setup is below; This Public IP is the web server IP. The firewall get hits, but web server page is not being displayed. In the logs FW built tcp but then tear down the session, syslog id (302014) 77 TCP Reset-I
Â
                         |INTERNET|
                                |
                                |
                        195.201.55.X
                           [ ASA ]
                         Natting to
                        10.100.100.151
                             [ F5 ]
                               |
                             /Â
                           /     Â
Real Servers---> .150Â Â .151
Â
Â
NAT Config is; nat (DMZ1,OUTSIDE) source static 10.100.100.151Â 195.201.55.X.
Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else?Looking at a 5508 model at the moment
View 4 Replies View RelatedMay I know how to configure for remote accessing ASA 5525 via ssh?I have issued the following commands
Â
ssh 10.60.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 dmz
ssh 10.60.0.0 255.255.0.0 inside
ssh timeout 5
Â
but I am not able to access ASA via ssh. Do I need to add any other command
I have a PIX 515 with version 8.0(3). We buy a ASA 5525-X for replace the PIX.
Â
The question is, what is the better method to migrade the configurations? Manually?
What is the better version for 5525-X? 8.6.1?
We have a customer that has a ASA 5525-x reporting only 4g flash memory rather than 8g has any 4g version of the 5525 or is the IOS reporting incorrectly the size, as it seems to be embedded on these units as a USB disk internal.
View 4 Replies View RelatedWe have a 5525 that has not been deployed to production yet so we're using it in the lab. I want to lab some upgrades from 8.2 to 8.6 for some customers but the 5525 comes loaded with 8.6. Would there be any problem with reimaging the 5525 with 8.2? I'm just not sure if there would be an issue with this new hardware running that old software.
View 3 Replies View RelatedI'm about to upgrade from an ASA5520 to ASA5525.
View 1 Replies View Relatedcould i create new guest accounts via CLI? i know that via GUI with lobby embassador account i can create them. I have WLC 5508 (7.0.116).
View 7 Replies View RelatedI have an instance of ISE and NCS with a WLC 2100 plus a couple of LWAPs. This is an evaluation POC lab to sell ISE and NCS to our management to make our life easier.The problem I have amoungst many is I can create a guest user directly on the ISE and the guest can login, the ISE monitor shows the guest authenticates but the clients webpage passes them back to the login page not onto the original client url. The web auth is pointed at the ISE/guestportal/portal.jsp page.If I point the web auth at the internal WLC page using a WLC local user account it works.If I set the guest access to pass through it works without issues getting dhcp and dns. On the ISE is there a policy needed to say if guests are web authenticated give them access? The need is for AD authenticated users to be able tocreate guest users. The AD authentication works for sponsorship and guest creation its just the guest access redirection I am having issues with.
View 1 Replies View Related(WLC 4400) which enables employees to browse to a custom made webpage, where they can create an account for company vistors to access the internet. It's important for the employees not use any login credentials, they arrive on a webpage where they specify the login & password which the vistor will enter to browse the internet. Is there any good link to documention about this topic?
View 3 Replies View RelatedWe are using MS System Center Operations Manager to monitor network devices.  We are trying to monitor our Cisco ASA 5525-X firewall interfaces.
Â
We have a generic management pack installed that seems to work for parts of the 5525. We can see performance info for IF-4 but none of the other interfaces.
 Â
Our Management Pack is a generic Cisco Adaptive Security Appliance Version 9.1(1) management pack.
Â
Is there a management pack that is specifically for this Cisco firewall? Â
I am in the process of upgrading a client's firewalls from 5520s to 5525-Xs. I have 2 independent firewalls that are merging into a single firewall. Both of the source ones have a TON of user accounts defined for remote user VPN, is there any way to move these user accounts with passwords in tact?? The goal is not to have to tell the 250+ users that they need to reset their passwords at once.
View 2 Replies View RelatedI wish to establish a private and guest network for a local business. They have Verizon service with its wireless router plus their own personal wireless router.The Actiontec mi424wr (rev i) wireless router is connected via Coax and will remain the first in line so as not to disrupt the set top boxes (STB) channel guide and other features managed by the Actiontec. The radio is active with an SSID of "ABC-Private" and its network is 192.168.1.xx. The thought is that only business personnel will connect to this router for internet.I have connected their Linksys WRT54GS to the LAN port of the Actiontec, using a static IP which I have allocated in the Actiontec's DHCP pool for this purpose. This radio is active with an SSID of "ABC-Guests" and its network is 192.168.2.xx. The thought is that only patrons will connect to this router for internet.
My overall goal is that business personnel will have unrestricted access to the internet AND to each other¦ while patrons will only have HTTP and HTTPS access to the internet¦ and no communications will be permitted between the two network subnets. I realize there are hardware firewalls designed for accomplishing such a goal, but the business hopes to avoid the additional expense, if the aforementioned model can provide this capability.In order to accomplish this goal, my remaining tasks as are follows:
1. On the Linksys, permit only http and https traffic (and whatever else the patrons would need/want).
2. On the Actiontec, deny Linksys IP address access to everything except for the Actiontec gateway.
I have an ASA 5550 at our main site with an external ethernet interface to our ISP for internet access. I would like to allow 10.100.41.x/24 http / https access but block this network's access to all other internal networks including 172.17.x.x,, 10.100.1 - 40.x, and others. I'm having trouble identifying what IP address to use as the desitination for the permit rule for access to the internet. The rule that comes after the permit is to deny 10.100.41.x/24 access to internal network addresses.Â
View 1 Replies View RelatedJust started using our ASA 5505 v8.2 (1) Trying to configure the ASA appliance to allow access into an internal resource (i.e want to be able to RDP into a system behind the ASA from the internet).I have used a static NAT:
static (inside,outside) 100.100.100.2 192.168.1.28 netmask 255.255.255.255
 access-list OUTSIDE extended permit tcp any host 100.100.100.2 eq 3389
Â
When I view the logs it is reporting the following:Inbound TCP connection denied from 206.100.100.1 (external IP) to 100.100.100.2 /3389 flags SYN on interface outside.Been pulling my hair out with this one as I believe I have everything configured correctly.
I cannot sponsor a guest account using his/her email address. When I try to create a guest account, its show as file attached.
Â
For example,
Â
email.m@email-me.co.xx     ->>>>>> cannot create
email.me@email-me.co.xx   ->>>>>> can create
Â
ISE version 1.1.1.268
Patch version 1
I'm able to to create my main network, but unable to create guest network. Already create CP and when connected to the guest SSID, the guest could still see my main network. How to create Guest network?
View 1 Replies View RelatedI recieved my IPS module license for my ASA 5525 . I enetered the key via the ADSM and it prompted me to restart the firewall .. After that i cannot get into the firewall via the ASDM .Â
View 3 Replies View RelatedI need to setup an ASA 5525 in Active/Standby failover mode. I am setting up the ASA for a company that purchased only one public IP address. The public IP address is assigned to the outside interface. My question is will failover work correctly if I don't use a secondary IP address on the failover configuration on the outside interface?
View 4 Replies View Related We have an ASA 5525 running version 8.6(1)2 and a 10 MG pipe. I have execs that want to limit bandwidth on users for stuff like youtube, stream media, and downloads. I found the article on ‘Bandwidth Management(Rate Limit) Using QoS Policies’ so it appears our firewall can do what we want. I’m not a cisco person. My knowledge is limited when it comes to configuration – that’s why we have SmartNet.
Can bandwidth be limited on end users and/or can they limit the ‘bandwidth rate limit’ to just youtube, steaming media, and downloads? If so, what should the limit be? and I’m assume this would be for ‘incoming’ traffic only? we’re running into some bandwidth hogs – usually youtube and/or streaming media. We have a Barracuda web filter which we’ve used to block and monitor activity but I simply do not have time to babysit this all day. I should also mention we do have critical data running up and down the pipe; such as credit card processing, DB replication between in house DB and hosted website, TPCx and EDI, FTP, and such that we don’t want restricted.
I have a subnet for guest network access, both wired and wireless. We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'. For most internal traffic, it all stays behind the ASA. But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA. The question is, how can I still permit those users to access our internal DNS servers? Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.? I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.
View 7 Replies View RelatedThe old syntax that I am much more familiar with has been deprecated. On older IOS it would have been something like static (inside,outside) tcp 209.114.146.122 14033 192.168.30.69 1433 netmask 255.255.255.255  Plus an extended ACL to allow the traffic.I am trying to create a Static PAT to allow a host address to access our Network through an ASA. I have external address 209.114.146.122 that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on port 1433.
View 11 Replies View RelatedCould I configure and connect 3 Dell switches to an ASA-5525 Firewall which has got 8 interfaces.
View 7 Replies View RelatedI have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver. (DMZ discussion aside)
Â
We have an ASA5510 with interfaces setup as:
outside - 65.x.x.x address
inside - 172.20.1.2
guest_inet - 10.2.1.1
Â
Internally clients resolve our website to 192.168.40.40 and that part works as it should. Clients outside of our network resolve our website to the correct external address (lets just call it 1.1.1.1). We have a NAT statement static (inside, outside) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 and an ACL to permit tcp any host 1.1.1.1 eq www
Â
Clients on our guest_int use an external DNS server and hence resolve our website to 1.1.1.1. However it seems traffic goes out and back in our outside interface and this connection never occurs.
Â
What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website. Would that be: static (inside,guest_inet) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 ? Since there is already an ACL permitting port 80 traffic to 1.1.1.1 we should be taken care of on the ACL side of things, right?
We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets. So it can only access the internet. This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail.I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?
Â
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require. And that this can be done seemlessly by network specific routes and or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.